Hide Forgot
SELinux is preventing /usr/lib/cups/backend/mfp from 'execute' accesses on the file /usr/lib64/libmfp.so.1.0.1. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that mfp should be allowed execute access on the libmfp.so.1.0.1 file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep mfp /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:cupsd_t:s0-s0:c0.c1023 Target Context unconfined_u:object_r:admin_home_t:s0 Target Objects /usr/lib64/libmfp.so.1.0.1 [ file ] Source mfp Source Path /usr/lib/cups/backend/mfp Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.9.16-26.fc15 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux fedora.pinecrest 2.6.38.7-30.fc15.x86_64 #1 SMP Fri May 27 05:15:53 UTC 2011 x86_64 x86_64 Alert Count 8 First Seen Fri 06 May 2011 06:43:40 BST Last Seen Mon 13 Jun 2011 10:25:25 BST Local ID ae6f087d-3d58-47b5-909e-920f2f1e987f Raw Audit Messages type=AVC msg=audit(1307957125.323:290): avc: denied { execute } for pid=20880 comm="mfp" path="/usr/lib64/libmfp.so.1.0.1" dev=dm-0 ino=149982 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file type=SYSCALL msg=audit(1307957125.323:290): arch=x86_64 syscall=mmap success=no exit=EACCES a0=359ca00000 a1=906b30 a2=5 a3=802 items=0 ppid=20877 pid=20880 auid=4294967295 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295 comm=mfp exe=/usr/lib/cups/backend/mfp subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null) Hash: mfp,cupsd_t,admin_home_t,file,execute audit2allow #============= cupsd_t ============== #!!!! This avc is allowed in the current policy allow cupsd_t admin_home_t:file execute; audit2allow -R #============= cupsd_t ============== #!!!! This avc is allowed in the current policy allow cupsd_t admin_home_t:file execute;
This file "libmfp.so.1.0.1" was moved from /root to /usr/lib64. When you move a file , you also move its context. The cupsd_t is not allowed to execute files with the admin_home_t type. Please run: restorecon -v /usr/lib64/libmfp.so.1.0.1 This will reset the type of the libmfp.so.1.0.1 to lib_t, which is the default type for files in /usr/lib64. When you move a file be sure to run restorecon over the target. When you use cp instead of mv, the target will get the default type of the target location as opposed to using mv.
Please run # restorecon -v /usr/lib64/libmfp.so.1.0.1 as Dominick suggests and remove your local policy with this rule. # semodule -r mypol
Thanks. Apologies for opening unnecessary bug.
No problem.